gluestack-ui-v4
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION] (MEDIUM): The skill directs the agent to execute `npx gluestack-ui@alpha init -y`, which downloads and runs code directly from the npm registry. Since the gluestack organization is not on the trusted provider list, this is classified as a remote code execution risk. The severity is adjusted to MEDIUM as the action is intrinsic to the skill's primary purpose of library installation.
  - Evidence: setup/SKILL.md
- [COMMAND_EXECUTION] (MEDIUM): The agent is instructed to run shell commands to initialize projects and add components (e.g., `npx gluestack-ui@alpha add --all -y`). The use of the `-y` flag bypasses user confirmation during code execution.
  - Evidence: setup/SKILL.md
- [EXTERNAL_DOWNLOADS] (LOW): The skill requires downloading multiple external packages and components from the npm registry to complete the setup process.
  - Evidence: setup/SKILL.md
Audit Metadata